Presented at Black Hat Europe 2021, Nov. 10, 2021, 10:20 a.m. (40 minutes).
HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you to the frontier of HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections.

I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties.

After that, I'll explore novel techniques and tooling to crack open request tunnelling - a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive.

Finally, I'll share multiple exploit primitives that resurrect request-line injection, and use HTTP/2 to expose a fresh application-layer attack surface.

I'll leave you with an open-source scanner with accurate automated detection, a custom, open-source HTTP/2 stack so you can try out your own ideas, and free interactive labs so you can hone your new skills on live systems.
Presenters:
- James Kettle / albinowax - Director of Research, PortSwigger
James 'albinowax' Kettle is the Director of Research at PortSwigger - his latest work includes HTTP desync attacks, web cache poisoning, and automating hunting unknown vulnerability classes. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEFCON.